#!/bin/sh
# Revision 0.2 Mon Mar 03 12:29:00 EST 2008
#
# Copyright (c) 2006 Dominique Goncalves
# Copyright (c) 2006 Andrei Kolu 
# Modified 2008 Kris Moore (PC-BSD Software)
#
# See COPYING for licence terms.

# 06-03-2008 - Kris Moore (PC-BSD Software)
# Added option to open specific ports by passing variables

pf_rules="/etc/pf.conf"

if [ -e "$pf_rules" ] ; then
   echo "${pf_rules} already exists!"
   echo "Remove this file first to re-generate ruleset"
   exit 1
fi

echo "Creating $pf_rules."
echo "set skip on lo0" > $pf_rules
echo "set block-policy return" >> $pf_rules
echo "scrub in all" >> $pf_rules
echo "antispoof quick for lo0 inet" >> $pf_rules
# block anything coming from source we have no back routes for
echo "block in from no-route to any" >> $pf_rules

echo "# Block all other incoming" >> $pf_rules
echo "block in log" >> $pf_rules

echo ''  >> $pf_rules
echo '# Allow all outgoing traffic' >> $pf_rules
echo "pass out keep state" >> $pf_rules

# Deny all from our blacklist
echo ''  >> $pf_rules
echo '# Block blacklist'  >> $pf_rules
echo 'table <blacklist> persist file "/etc/blacklist"'  >> $pf_rules
echo "block from <blacklist> to any" >> $pf_rules

echo ''  >> $pf_rules
echo "# Enable ICMP for IPv4 IPv6" >> $pf_rules
echo "pass proto icmp all" >> $pf_rules
echo "pass proto icmp6 all" >> $pf_rules
#############################################################

echo ''  >> $pf_rules
echo '# Nic Specific Rules'  >> $pf_rules

DEVLIST=`ifconfig -l`

echo ${DEVLIST} | grep "lagg0" >/dev/null 2>/dev/null
if [ "$?" != "0" ] ; then
  DEVLIST="${DEVLIST} lagg0"
fi

for inf in ${DEVLIST} ; do
  if `echo $inf | egrep -v 'lo|plip|gif|tun|pfsync' 1>/dev/null` ; then

  # Ports from 49152 to 65535 is needed for SMB and other connectivity
  echo "pass in quick on $inf proto {tcp,udp} from any to any port 49152:65535 keep state" >> $pf_rules

  # Setup the default UDP entries
  echo "pass in quick on $inf proto udp from any to ($inf) port 137 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to ($inf) port 138 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to ($inf) port 111 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to ($inf) port 1110 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to ($inf) port 2049 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to ($inf) port 4045 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to ($inf) port 5353 keep state" >> $pf_rules
  echo "pass in quick on $inf proto udp from any to 224.0.0.251/32 port 5353 keep state" >> $pf_rules


  # Setup the default TCP entries
  echo "pass in quick on $inf proto tcp from any to ($inf) port 445 keep state" >> $pf_rules
  echo "pass in quick on $inf proto tcp from any to ($inf) port 137 keep state" >> $pf_rules
  echo "pass in quick on $inf proto tcp from any to ($inf) port 139 keep state" >> $pf_rules
  echo "pass in quick on $inf proto tcp from any to ($inf) port 111 keep state" >> $pf_rules
  echo "pass in quick on $inf proto tcp from any to ($inf) port 1110 keep state" >> $pf_rules
  echo "pass in quick on $inf proto tcp from any to ($inf) port 4045 keep state" >> $pf_rules
  echo "pass in quick on $inf proto tcp from any to ($inf) port 5353 keep state" >> $pf_rules


    # Check if there are any extra ports to open and do so
    if [ ! -z "$@" ]
    then
       for port in "$@"
       do
         echo "pass in quick on $inf proto udp from any to ($inf) port ${port} keep state" >> $pf_rules
         echo "pass in quick on $inf proto tcp from any to ($inf) port ${port} keep state" >> $pf_rules
       done
    fi
			
  fi
done

